1. Field of the Invention
This invention relates to the field of data security, authentication, and biometrics. It specifically relates to multi-factor authentication for conducting transactions using a handheld device. It is also related to cryptography and key-exchange techniques, including symmetric and asymmetric encryption and hashing.
2. Description of the Related Art
Mobile devices such as smartphones, personal digital assistants (PDAs), and many other handheld devices are being used as authentication devices for financial as well as access transactions. In some countries these devices provide the means for cash transactions in the same way a debit card is used. Some African countries have even been using these devices as prepaid credit devices which may be used for cash transactions simply by having the credit transferred from one phone to another. These transfers are mostly carried out over the mobile network.
The ICT Regulation Toolkit is a toolkit produced by the Information for Development Program (InfoDev) and the International Telecommunication Union (ITU). A Practice Note [ICT Regulation Toolkit, 2011] gives many different examples of financial services which are available through the use of a mobile phone. These include Branchless Banking Models, such as the WIZZIT service [Crotty, 2005] in South Africa; Mobile Payment systems, such as M-PESA in Kenya and the Globe Telecom G-Cash service in the Philippines; and Airtime Transfers [Vodafone Group Plc., 2007] in Egypt, South Africa, and Kenya. See [ICT Regulation Toolkit, 2011] for details.
However, the listed transactions currently rely on one or both of the following two authentication factors:
1. Possession of an item (something one owns).
2. Knowledge of a fact (something one knows).
In the scenario of Paragraph 2, the phone serves as the owned item (1st authentication factor). In this case, if the phone is stolen or used without permission, one or more transactions may take place before the phone can be deactivated or the credit blocked. In fact, technically, possession of the phone is equivalent to the old standard of possessing currency.
To reduce the chance of the fraud described in Paragraph 5, some implementations also require another factor in the form of something the person knows (2nd factor), such as a challenge passcode. However, most such passcodes are simple to ascertain and to abuse in order to gain unlawful access to the funds associated with the telephone.